Vietnamese cybercriminals have employed the PXA Stealer tool to target 4,000 IP addresses, successfully compromising 200,000 passwords worldwide.
Cybersecurity researchers have identified a new wave of campaigns distributing a Python-based information stealer known as PXA Stealer. This malicious activity is believed to be orchestrated by Vietnamese-speaking cybercriminals who monetise the stolen data through a subscription-based underground ecosystem that automates resale and reuse via Telegram APIs. A joint report by Beazley Security and SentinelOne highlights a significant advancement in tradecraft, featuring sophisticated anti-analysis techniques, non-malicious decoy content, and a robust command-and-control pipeline designed to hinder detection efforts. The campaigns have reportedly infected over 4,000 unique IP addresses across 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. The data captured includes more than 200,000 unique passwords, hundreds of credit card records, and over 4 million harvested browser cookies.
PXA Stealer was first documented by Cisco Talos in November 2024, with its attacks primarily targeting government and educational entities in Europe and Asia. The malware is capable of harvesting passwords, browser autofill data, and information from cryptocurrency wallets and financial institutions. Stolen data is exfiltrated via Telegram and subsequently fed into criminal platforms like Sherlock, where downstream threat actors can purchase the information for cryptocurrency theft or organisational infiltration.

The campaigns have evolved in 2025, employing DLL side-loading techniques and elaborate staging layers to evade detection. The updated stealer can extract cookies from Chromium-based web browsers by injecting a DLL into running instances, bypassing app-bound encryption safeguards. It also targets data from VPN clients, cloud command-line interface utilities, connected fileshares, and applications like Discord. PXA Stealer utilises BotIDs to link the main bot with various ChatIDs, which serve as Telegram channels for hosting exfiltrated data and providing updates to operators.
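The Telegram-based exfiltration channel described above is something a defender can hunt for in egress proxy logs, because Telegram Bot API requests carry the numeric bot identifier in the URL path (the token is `<bot id>:<secret>`) and the destination channel in the `chat_id` parameter. The following script is an added example written for this article, not code from the Beazley Security or SentinelOne report and not part of PXA Stealer's tooling; the proxy log format, bot tokens, chat IDs and client addresses are all constructed placeholders, and a real deployment would adapt `parse_proxy_line` to the proxy's actual format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Telegram Bot API URLs look like https://api.telegram.org/bot<TOKEN>/<method>,
# where <TOKEN> is "<numeric bot id>:<secret>". The numeric prefix is the BotID
# the article refers to; the chat_id query parameter is the destination ChatID.
TELEGRAM_BOT_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)

# Methods that push data to a channel, as opposed to polling calls such as getMe
# or getUpdates that a stealer also makes but that move nothing off the host.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}

# Constructed proxy log lines: "<timestamp> <client ip> <http method> <url> <status>".
# Tokens and chat IDs are placeholders, not real indicators from the report.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z 10.1.2.3 POST https://api.telegram.org/bot1234567890:AAE-constructed_secret/sendDocument?chat_id=-1001111111111 200",
    "2025-08-01T10:00:02Z 10.1.2.3 GET https://api.telegram.org/bot1234567890:AAE-constructed_secret/getMe 200",
    "2025-08-01T10:00:03Z 10.1.2.4 POST https://api.telegram.org/bot1234567890:AAE-constructed_secret/sendDocument?chat_id=-1002222222222 200",
    "2025-08-01T10:00:04Z 10.1.2.5 GET https://example.com/index.html 200",
    "2025-08-01T10:00:05Z 10.1.2.6 POST https://api.telegram.org/bot9999999999:BBF-constructed_secret/sendMessage?chat_id=42 200",
]


def parse_proxy_line(line):
    """Split one constructed proxy log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, http_method, url, status = parts
    return {"ts": ts, "client": client, "http_method": http_method,
            "url": url, "status": status}


def classify_telegram_request(url):
    """Return bot id, method and chat id for a Telegram Bot API URL, else None."""
    parsed = urlparse(url)
    if parsed.hostname != "api.telegram.org":
        return None
    match = TELEGRAM_BOT_RE.match(parsed.path)
    if not match:
        return None
    chat_id = parse_qs(parsed.query).get("chat_id", [None])[0]
    method = match.group("method")
    return {
        "bot_id": match.group("bot_id"),
        "method": method,
        "chat_id": chat_id,
        "exfil": method in EXFIL_METHODS,
    }


def scan_proxy_log(lines):
    """Yield one finding per request that pushes data to a Telegram bot channel."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        tg = classify_telegram_request(rec["url"])
        if tg and tg["exfil"]:
            findings.append({"ts": rec["ts"], "client": rec["client"], **tg})
    return findings


def summarize_by_bot(findings):
    """Group findings by BotID so one bot fanning out to several ChatIDs
    from several internal hosts stands out as a single campaign."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["bot_id"], {"chat_ids": set(), "clients": set()})
        if f["chat_id"] is not None:
            entry["chat_ids"].add(f["chat_id"])
        entry["clients"].add(f["client"])
    return summary


if __name__ == "__main__":
    for bot_id, info in summarize_by_bot(scan_proxy_log(SAMPLE_LOG)).items():
        print(f"bot {bot_id}: {len(info['clients'])} internal hosts -> "
              f"chat ids {sorted(info['chat_ids'])}")
```

On the constructed sample the script reports two bots, one of which is contacted by two internal hosts and posts to two distinct chat IDs, which is the BotID-to-many-ChatIDs pattern the article describes. Treat a hit as a hunting lead rather than a verdict: legitimate automation also uses the Bot API, so the bot ID, the set of sending hosts, and the timing relative to browser or VPN client activity on those hosts are what separate a stealer from an internal notification bot.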